CVE-2020-1740: Information Exposure

March 16, 2020 (updated August 7, 2021)

A flaw was found in Ansible Engine when using Ansible Vault for editing encrypted files. When a user executes ansible-vault edit, another user on the same computer can read the old and new secret, as it is created in a temporary file with mkstemp and the returned file descriptor is closed and the method write_data is called to write the existing secret in the file. This method will delete the file before recreating it insecurely.

References

bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1740
nvd.nist.gov/vuln/detail/CVE-2020-1740

Detect and mitigate CVE-2020-1740 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →